(57) Abstract

Methodology and concomitant circuitry to generate cryptographically strong
pseudo-random bit streams utilize secure block cypher encoders. Each block cypher
encoder (550) has a random key (540) and a first seed (510) as an input, and the
output of each encoder is fed back to connect to its input. The first seed serves as
the initial input, and each subsequent input is the immediate output of the block
cypher encoder. Each bit in the cryptographically strong pseudo-random bit stream is
related to a first inner product between input to the block cypher encoder and a
second seed (520) and a second inner product (560) between the random key and a
third seed (570).
AN IMPROVED PSEUDO-RANDOM GENERATOR

Related Patent and Application

Reference is made to U.S. Patent Serial No. 5,420,928, entitled "Pseudo-Random
Generator" which issued on May 30, 1994 for W. A. Aiello and R. Venkatesan,
the applicants of the present application, and co-pending Application Serial No.
08/286,161, entitled "Pseudo-Random Generator" filed on August 4, 1994, for W. A.
Aiello, S. Rajagopalan, and R. Venkatesan wherein related inventions are disclosed and
claimed and which are hereby incorporated by reference.

Field of the Invention 

This invention relates generally to pseudo-random bit generators and,
more specifically, to circuitry and concomitant methodology for generating
cryptographically strong pseudo-random bits.

Background of the Invention 

A very large number of important processes and methods use an auxiliary
input which is assumed to be truly random. Examples of such processes and methods
include sorting, simulation and testing of complex systems, encryption, and many other
cryptographic primitives. Producing a truly random auxiliary input of sufficient length is
difficult. Typically, the auxiliary input is produced by a pseudo-random bit generator.
Informally, a pseudo-random bit generator is any process or method which takes a short
truly random string and produces a long "pseudo-random" string.

Many pseudo-random bit generators have been proposed and discussed in
prior art literature, such as the popular linear congruential bit generator. In evaluating
the utility of these bit generators, the conventional approach is to subject each bit
generator to a standard regimen of empirical and analytical statistical tests to determine if
the generators produce acceptable random bits. Those generators that pass the standard
tests are often assumed to produce sufficiently good pseudo-random bit streams for the
various purposes for which they are to be employed.

However, this assumption may be erroneous. For instance, it has been
shown that the linear congruential bit generator is hardly general purpose since, after
observing its outputs for a short period, it becomes possible to compute the future outputs
correctly. It has also been shown how to predict the bits of the following generator:
given a polynomial, output successive digits of the algebraic number defined by the
polynomial. As another example, Monte Carlo simulations of a well-known physical
system were recently shown to give results far from the known values when several
well-known generators were used as input for the simulations.

While certain traditional generators may not be general purpose, they may
be sufficient for certain purposes. For example, it has been shown that a few simple bit
generators (including the linear congruential) are sufficient, in a rigorous sense, for a few
specific applications. In short, there are examples where the traditional generators are
known to be sufficient and there are examples where they are known to be insufficient.
For all other cases there are no guarantees. Moreover, for complex methods and
processes it is unlikely that the traditional generators will ever be proven to produce
sufficiently random output.

Most recently, a different approach to pseudo-random bit generation has
been developed based on the theory of "one-way" functions. For the immediate
discussion, a one-way function is a function that is easy to compute but hard to invert for
an overwhelming fraction of its range. With this notion in mind, a "cryptographically
strong pseudo-random (CSPR) bit generator" is a generator that takes a short, truly
random seed as input, then repeatedly uses a one-way function to produce a long
pseudo-random string of bits such that there is no feasible technique or procedure which can
distinguish between the outputs of a CSPR bit generator and a truly random string of bits.
It is also known that a CSPR bit generator will pass all statistical tests whose running
times are small compared to the time required to invert the one-way function. In
particular, using CSPR bits rather than truly random bits in test or other application
environments whose running times are small with respect to the time to invert a one-way
function will not impact on the results in any demonstrable way.

In addition to the many direct applications of CSPR bit generators
mentioned previously, these bit generators may be used to compute cryptographically
strong pseudo-random functions (CSPR functions). These functions take two parameters,
namely, a function index and a function input. For a randomly chosen fixed index, an
adversary with no knowledge of the index cannot choose a function input and then
predict even a single bit of the resulting function value in a feasible amount of time. This
is true even if the adversary has already seen many function values for many function
inputs of its choosing.

CSPR functions have several applications. Two important applications
are as follows. First, they can be used in a simple protocol for identifying party A to party
B over a non-secure channel when A and B share a secret key. The shared key is used as
a CSPR function index. B queries any party on the channel claiming to be A with a
random function input. Only A will be able to return the correct function value.

Second, CSPR functions can be used to distribute independent random
bits to each of the processes in a parallel or distributed computation. A single seed is first
broadcast to each process. This shared seed is used as the CSPR function index. Using
its process identification number as a function input, each process computes a CSPR
function value as its random seed. Each process may now use this seed and a CSPR bit
generator to compute CSPR bits for its own use.

In prior Patent '928, cryptographically strong pseudo-random bit
generators and functions are implemented by circuitry and concomitant methodologies
which utilize secure block cypher encoders to implement a cryptographically strong
pseudo-random bit generator. Broadly, in accordance with our prior patent application, a
stream of cryptographically strong pseudo-random bits is generated from first and second
seeds, of the same length, and a block cypher encoder having a fixed random encoder
key. The first seed serves as the first input to the block cypher encoder. Each subsequent
input to the block cypher encoder is provided as the last output of the block cypher
encoder. Each bit in the stream of cryptographically strong pseudo-random bits is
determined in correspondence to an inner product between the input to the block cypher
encoder and the second seed.

In accordance with another serial aspect of the present invention, a stream
of cryptographically strong pseudo-random bits is generated from a first seed and a
plurality S of second seeds, all seeds being of the same length, and a block cypher
encoder having a fixed random encoder key. The first seed serves as the first input of the
block cypher encoder. Each subsequent input to the block cypher encoder is provided as
the last output of the block cypher encoder. S consecutive bits in the stream of
cryptographically strong pseudo-random bits are determined in correspondence to S
distinct inner products between the input to the block cypher encoder and the S second
seeds.



Summary of the Invention

In accordance with our present invention, we have found that an improved
cryptographically strong pseudo-random bit generator can be realized by a method and
circuitry wherein a third seed of the same length as the fixed random encoder key is
employed, with the output bit being generated in correspondence with a first inner
product between the input of the block cypher encoder and the second seed and a second
inner product between the third seed and the fixed random encoder key.

The organization and operation of our present invention will be 
understood from a consideration of the detailed description of the illustrative 
embodiment, which follows, when taken in conjunction with the accompanying drawing. 
Brief Description of the Drawing

FIG. 1 is a block diagram of a serial, cryptographically strong random bit
generator in accordance with a prior invention.

FIG. 2 is a block diagram of another serial, cryptographically strong
random bit generator in accordance with a prior invention.

FIG. 3 is a block diagram of a parallel, cryptographically strong random
bit generator in accordance with a prior invention.

FIG. 4 is a block diagram of a serial, secure, cryptographically strong
random bit generator in accordance with a prior invention.

FIG. 5 is a block diagram of an illustrative embodiment of a serial
cryptographically strong random bit generator in accordance with an aspect of our
present invention.

FIG. 6 is a block diagram of another illustrative embodiment of a serial
cryptographically strong random bit generator in accordance with an aspect of our
present invention.

Detailed Description 

By way of introducing terminology and notation useful in elucidating our
present invention, an overview discussion and illustrative embodiments in accordance
with the invention of our prior patent are described before the description of our present
invention.

Overview

A "feasible" computation on inputs of length M takes time proportional to
M, M^2, or M^C, where C is some fixed constant. "Infeasible" computations are those that
are not feasible. A function F is "one-way" if it is feasible to compute but infeasible to
invert for a random element in its range. A function is a one-way "permutation" if it is
one-way and, in addition, length preserving and one-to-one, that is, if F(x) = y, then the
lengths of x and y are equal and for every y there is exactly one x. Hereafter, F will
denote a one-way permutation.

Two distributions μ_1, μ_2 on binary strings are "indistinguishable" if any
feasible computation that guesses that a given string is generated under μ_1 or μ_2
succeeds with probability 1/2+e(n) where e(n) is negligible, that is, e(n)=1/T(n) and
T(n) is the running time of some infeasible computation. A "cryptographically strong
pseudo-random distribution" is indistinguishable from the uniform distribution.

A cryptographically strong pseudo-random bit generator G accepts a
random seed x of length X and outputs a longer bit string y of length Y=X^O(1) and the
output distribution is pseudo-random. This means that even a single bit of y cannot be
predicted by looking at other bits of y.

Whereas the most recent realizations disclosed in the prior art to configure
cryptographically-strong pseudo-random bit generators utilize one-way functions, the
subject matter in accordance with the present invention is based on a block cypher
encoder; such an encoder may be realized via the Data Encryption Standard (DES), as
published by the National Bureau of Standards, Department of Commerce, FIPS, pub 46,
January, 1977. DES has a reasonably fast implementation and is commercially available;
for example, device type VM009 available from the VLI Technology Inc. of Tempe, AZ
implements DES. A block cypher encoder takes as input a random key k and an input
string x of size X to produce an output string of size X. For a fixed key k, the output y of
a block cypher encoder, denoted F(k,x), is a permutation. In addition, the present
invention makes more efficient use of the input seeds than the realizations in the prior art.

Embodiments of our Prior Invention 
As alluded to in the Overview, the generators of both our prior and the
present invention are made practical by basing them on "block cyphers" encoders. One
manner in which a block cypher encoder is used as a fundamental component to
construct a cryptographically strong pseudo-random bit generator is set forth with
reference to FIG. 1. In FIG. 1, a serial block cypher encoder is depicted by element 150;
the permutation effected by block cypher encoder 150 is denoted F. A fixed random key
k, provided by random key generator 140, serves as one input to block cypher
encoder 150 via bus 141. The other input to block cypher encoder is provided via
bus 131 from an input register 130, which is shown as providing a set of bits denoted x_i
on output bus 131. Input register 130 has two inputs, namely, the first seed x_0 as
provided by first seed generator 110 over bus 111, and the output of block encoder 150,
denoted x_{i+1}, as provided by feedback bus 151. Input register 130 operates so that x_i is
first assigned the value x_0, whereas any subsequent value of x_i is provided by
overwriting the last value of x_i with the updated value x_{i+1}. The input x_i to encoder 150
also serves as one input to inner product device 160, also via bus 131. In addition, inner
product device 160 has as an input, via bus 121, the second seed h produced by second
seed generator 120. In general, the length of the first and second seeds are the same. The
length of the random key does not need to be the same length as the first and second
seeds; the size of the random key usually depends on how the block cypher works. Inner
product device 160 determines an inner product, represented by <x_i, h> = b_i, as follows:
(a) compute the bitwise AND of x_i with h; and (b) output as the inner product result the
parity of all bits from the bitwise ANDing, that is, output a 0 if there are an even number
of one bits, and a 1 if there are an odd number of one bits. Each b_i bit is sequentially
provided on output lead 161.

Another embodiment in which a block cypher encoder is used as a
fundamental component to construct a cryptographically strong pseudo-random bit
generator is set forth with reference to FIG. 2. In FIG. 2, a serial block cypher encoder is
depicted by element 250; the permutation effected by block cypher 250 is denoted F. A
fixed random key k, provided by random key generator 240, serves as one input to block
cypher encoder 250 via bus 241. The other input to block cypher encoder is provided via
bus 231 from an input register 230, which is shown as providing a set of bits denoted x_i
on output bus 231. Input register 230 has two inputs, namely, the first seed x_0 as
provided by first seed generator 210 over bus 211, and the output of block encoder 250,
denoted x_{i+1}, as provided by feedback bus 251. Input register 230 operates so that x_i is
first assigned the value x_0, whereas any subsequent value of x_i is provided by
overwriting the last value of x_i with the updated value x_{i+1}. The input x_i to encoder 250
also serves as one input to inner product device 260, also via bus 231. In addition, inner
product device 260 has as inputs, via bus 221, the S second seeds h_1, h_2, ..., h_S produced
by second seed generator 220. In general, the length of the first seed, the S seeds, and the
random key are all the same. Inner product device 260 determines, during the i-th cycle, a
set of S inner products, the set being represented by {<x_i, h_1>, <x_i, h_2>, ..., <x_i, h_S>} (or
as <x_i, h> in compact notation), as follows: (a) compute the bitwise AND of x_i with h_j,
j = 1, 2, ..., S; and (b) output as the j-th inner product result the parity of all bits from the
bitwise ANDing, that is, output a 0 if there are an even number of one bits, and a 1 if
there are an odd number of one bits. The result of the j-th inner product is a bit, denoted
b_j, which is the j-th bit in the set of S consecutive bits that compose the stream of
cryptographically strong pseudo-random bits that appear on output bus 261 of inner
product device 260. Another way to represent the output on bus 261 for the i-th cycle is
b_ij, j = 1, 2, ..., S, as depicted in FIG. 2.

Yet another manner in which block cypher encoders are used as
fundamental components to construct a cryptographically strong pseudo-random bit
generator is set forth with reference to FIG. 3. In FIG. 3, one block cypher encoder in an
arrangement of parallel block cypher encoders 350, 355, ... is depicted by element 350;
the permutation effected by each block cypher encoder is denoted F. Elements 310, 320,
330, 340, 350, and 360 in FIG. 3 operate in the same manner as described with respect to
elements 110, 120, 130, 140, 150, and 160 in FIG. 1. Similarly, elements 315, 325, 335,
345, 355, and 365 in FIG. 3 operate in the same manner as described with respect to
elements 110, 120, 130, 140, 150, and 160 in FIG. 1; and so forth for the remaining
encoders (not shown).

In particular, fixed random key k^1, provided by random key
generator 340, serves as one input to block cypher encoder 350 via bus 341. The other
input to block cypher encoder is provided via bus 331 from an input register 330, which
is shown as providing a set of bits denoted x_i^1 on output bus 331. Input register 330 has
two inputs, namely, the first seed x_0 as provided by first seed generator 310 over bus 311,
and the output of block encoder 350, denoted x_{i+1}^1, as provided by feedback bus 351.
Input register 330 operates so that x_i^1 is first assigned the value x_0, whereas any
subsequent value of x_i^1 is provided by overwriting the last value of x_i^1 with the updated
value x_{i+1}^1. The input x_i^1 to encoder 350 also serves as one input to inner product
device 360, also via bus 331. In addition, inner product device 360 has as an input, via
bus 321, the second seed h^1 produced by second seed generator 320. In general, the
length of the first x_0 and second h^1 seeds and the random key k^1 are the same. Inner
product device 360 determines an inner product, represented by <x_i^1, h^1> = b_i^1, as follows:
(a) compute the bitwise AND of x_i^1 with h^1; and (b) output as the inner product result the
parity of all bits from the bitwise ANDing, that is, output a 0 if there are an even number
of one bits, and a 1 if there are an odd number of one bits. Each b_i^1 bit is provided on
output lead 361.

In addition, fixed random key k^P, provided by random key generator 345,
serves as one input to block cypher encoder 355 via bus 346. The other input to block
cypher encoder is provided via bus 336 from an input register 335, which is shown as
providing a set of bits denoted x_i^P on output bus 336. Input register 335 has two inputs,
namely, the first seed x_0 as provided by first seed generator 315 over bus 316, and the
output of block encoder 355, denoted x_{i+1}^P, as provided by feedback bus 356. Input
register 335 operates so that x_i^P is first assigned the value x_0, whereas any subsequent
value of x_i^P is provided by overwriting the last value of x_i^P with the updated value x_{i+1}^P.
The input x_i^P to encoder 355 also serves as one input to inner product device 365, also via
bus 335. In addition, inner product device 365 has as an input, via bus 326, the second
seed h^P produced by second seed generator 325. In general, the length of the first x_0 and
second h^P seeds and the random key k^P are the same. Inner product device 365
determines an inner product, represented by <x_i^P, h^P> = b_i^P, as follows: (a) compute the
bitwise AND of x_i^P with h^P; and (b) output as the inner product result the parity of all bits
from the bitwise ANDing, that is, output a 0 if there are an even number of one bits, and
a 1 if there are an odd number of one bits. Each b_i^P bit is provided on output lead 361.

Finally, to control the production of the parallel bits b_i^1, b_i^P, ... during the
i-th cycle, timing device 370 is coupled to each block cypher encoder 330, 335, ... and
each inner product device 360, 365, ... to output the parallel bits during a desired cycle
time interval.

All of the above implementations have considered feeding back the output
of a given block cypher encoder to its input to provide what is, in effect, a sequence of
random seeds for processing. To provide an added measure of security, the
implementation of FIG. 4 is employed. In particular, with reference to FIG. 4, two block
cypher encoders 450 and 455 are used as fundamental components to construct a
cryptographically strong pseudo-random bit generator. In FIG. 4, a first block cypher
encoder is depicted by element 450 and a second block cypher encoder is depicted by
element 455; the permutation effected by each block cypher encoder is denoted F. The
output of block cypher encoder 450 is connected to the input of block cypher encoder via
bus 451. A first fixed random key k_1, provided by random key generator 440, serves as
one input to block cypher encoder 450 via bus 441. A second fixed random key k_2,
provided by random key generator 445, serves as one input to block cypher encoder 455
via bus 446. The other input to block cypher encoder is provided via bus 431 from an
input register 430, which is shown as providing a set of bits denoted x_i on output
bus 431. Input register 430 has two inputs, namely, the first seed x_0 as provided by first
seed generator 410 over bus 411, and the output of block encoder 455, denoted x_{i+1}, as
provided by feedback bus 456. Input register 430 operates so that x_i is first assigned the
value x_0, whereas any subsequent value of x_i is provided by overwriting the last value of
x_i with the updated value x_{i+1}. The input x_i to encoder 450 also serves as one input to
inner product device 460, also via bus 431. In addition, inner product device 460 has as
an input, via bus 421, the second seed h produced by second seed generator 420. In
general, the length of the first and second seeds and the random keys k_1 and k_2 are the
same. Inner product device 460 determines an inner product, represented by <x_i, h> = b_i,
as follows: (a) compute the bitwise AND of x_i with h; and (b) output as the inner product
result the parity of all bits from the bitwise ANDing, that is, output a 0 if there are an
even number of one bits, and a 1 if there are an odd number of one bits. Each b_i bit is
sequentially provided on output lead 461.

Embodiment of our present Invention 
An illustrative embodiment of our present invention, in which a block
cypher encoder is used as a fundamental component to construct a cryptographically
strong pseudo-random bit generator 500, is set forth in Fig. 5. Similar to the bit generator
of Fig. 1, the bit generator 500 of Fig. 5 includes a first seed generator 510, which outputs
a first seed, x_0, and a second seed generator 520, which outputs a second seed, h. Bit
generator 500 also includes a serial block cypher encoder 550, which effects the
permutation, F, and outputs x_{i+1}, and a random key generator 540, which generates a
fixed random key, k. Bit generator 500 further includes an input register 530 which
receives as inputs the first seed, x_0, over bus 511 from the first seed generator 510 and
the output from the block cypher encoder 550, x_{i+1}, via feedback bus 551, and which
outputs a set of bits, x_i. As in Fig. 1, input register 530 assigns x_i the value of x_0, and
assigns any subsequent value of x_i by overwriting the last value of x_i with the updated
value of x_{i+1}. The bit generator 500 also includes an inner product device 560 which
receives as inputs x_i via bus 531 from input register 530, and h from the second seed
generator 520 via bus 521.

Distinct from the bit generator of Fig. 1, bit generator 500 includes a third
seed generator 570 which outputs a third seed H over bus 526 as an input to the inner
product device 560. Also distinct from the bit generator of Fig. 1, the inner product
device 560 receives as an input random key, k, from random key generator 540 via bus
542. The length of the third seed, H, is the same as the length of random key, k. The
inner product device 560 computes an output, b_i, which is a cryptographically stronger
pseudo-random bit and wherein <x_i, h> + <k, H> = b_i, by computing a first inner product
of x_i and h (<x_i, h>) and a second inner product of k and H (<k, H>), then XORing the
first and second inner products and outputting, as the XORed result, the parity of all bits
from the bitwise XORing of the first and second inner products. These distinctions can
be employed in any of the aforementioned illustrative embodiments to produce a
pseudo-random bit that is cryptographically even stronger. As shown in Fig. 6, these
distinctions are employed in combination with a second seed generator 620 which
generates S second seeds (h_1, h_2, ... h_S), as similarly shown in, and described above in
connection with, Fig. 2. In this embodiment, the inner product device 660 outputs via
bus 661 pseudo-random bits b_ij, wherein b_ij = <x_i, h_j> + <k, H>, for j = 1, 2, ..., S.
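
The bit rule of Figs. 1, 5 and 6, written out as an added example that is not code from the patent: the register holds x_0 and then each encoder output, and each output bit is <x_i, h_j> XOR <k, H>. The patent's encoder is DES; here F is an assumed stand-in (a SHA-256 based Feistel permutation on 64-bit blocks), and the key and seeds are constructed sample values.

```python
import hashlib

HALF_BITS = 32                      # assumption: 64-bit blocks, the DES block size
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 8                          # assumption: round count of the stand-in cipher


def _round(key: bytes, rnd: int, half: int) -> int:
    """Round function of the stand-in Feistel cipher (SHA-256 based, not DES)."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def F(key: bytes, x: int) -> int:
    """Stand-in block cypher encoder F(k, x): a keyed permutation of 64-bit blocks."""
    left, right = x >> HALF_BITS, x & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << HALF_BITS) | right


def F_inv(key: bytes, y: int) -> int:
    """Inverse of F, included only to show that F is one-to-one for a fixed key."""
    left, right = y >> HALF_BITS, y & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << HALF_BITS) | right


def inner_product(a: int, b: int) -> int:
    """<a, b>: parity of the bitwise AND (0 for an even number of one bits)."""
    return bin(a & b).count("1") & 1


def register_states(key: bytes, x0: int, cycles: int) -> list:
    """Input register contents x_0, x_1, ...: the first seed, then the feedback."""
    states, x = [], x0
    for _ in range(cycles):
        states.append(x)
        x = F(key, x)               # feedback bus: encoder output is the next input
    return states


def prior_bits(key: bytes, x0: int, h: int, cycles: int) -> list:
    """Fig. 1 generator: b_i = <x_i, h>."""
    return [inner_product(x, h) for x in register_states(key, x0, cycles)]


def improved_bits(key: bytes, x0: int, second_seeds: list, H: int, cycles: int) -> list:
    """Figs. 5 and 6: b_ij = <x_i, h_j> XOR <k, H>, S bits per cycle (S=1 is Fig. 5)."""
    # k and H are fixed for the stream, so the second inner product is one bit,
    # computed once. Each inner product is a single bit, so the "parity of the
    # bitwise XORing" in the claims is simply the XOR of the two bits.
    key_bit = inner_product(int.from_bytes(key, "big"), H)
    out = []
    for x in register_states(key, x0, cycles):
        out.extend(inner_product(x, h) ^ key_bit for h in second_seeds)
    return out


# Constructed sample values (not from the patent).
K = bytes.fromhex("0123456789abcdef")       # fixed random encoder key k
X0 = 0x1F2E3D4C5B6A7988                     # first seed x_0
H_SEEDS = [0xA5A5F00F3C3C9966, 0x0123456789ABCDEF, 0xFEDCBA9876543210]  # h_1..h_S
H3 = 0x8000000000000001                     # third seed H, same length as k

if __name__ == "__main__":
    print("Fig. 1:", prior_bits(K, X0, H_SEEDS[0], 16))
    print("Fig. 5:", improved_bits(K, X0, H_SEEDS[:1], H3, 16))
    print("Fig. 6:", improved_bits(K, X0, H_SEEDS, H3, 4))
```

With these sample values <k, H> is 1, so the Fig. 5 stream printed here is the bitwise complement of the Fig. 1 stream built from the same k, x_0 and h.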

Conclusion 

It is to be understood that the above-described embodiment is simply
illustrative of the principles in accordance with the present invention. Other
embodiments may be readily devised by those skilled in the art which may embody the
principles in spirit and scope. Thus, it is to be further understood that the circuit
arrangement described herein is not limited to the specific forms shown by way of
illustration but may assume other embodiments limited only by the scope of the
appended claims.
What is claimed is:

1. A method for generating a stream of cryptographically strong pseudo-random
bits with a block cypher encoder having a fixed random encoder key, first and
second seeds of the same length, and a third seed of the same length as the fixed random
encoder key, the method comprising the steps of

(a) inputting the first seed as the first input to the block cypher encoder,

(b) generating an output bit in the stream in correspondence with a first
inner product between the input of the block cypher encoder and the second seed, and a
second inner product between the third seed and the fixed random encoder key; and

(c) feeding back the output of the block cypher encoder as the next input
to the block cypher encoder, and returning to step (b).

2. The method as recited in claim 1 wherein said step of generating said output
bit includes the steps of

bitwise XORing said first and second inner products and
outputting the parity of said bitwise XORing step as said output bit.

3. Circuitry for generating a stream of cryptographically strong pseudo-random
bits utilizing first and second seeds of the same length, and a third seed, the circuitry
comprising

a block cypher encoder having a fixed random encoder key of the same 
length as the third seed, 

means, coupled to the input to said block cypher encoder, for inputting the 
first seed as the first input to said block cypher encoder, 

means, coupled to the input of said block cypher encoder, for generating 
an output bit in the stream in correspondence with a first inner product between the input 
of said block cypher encoder and the second seed, and a second inner product between 
the third seed and said fixed random encoder key, and 

means, coupled to the input and output of said block cypher encoder, for 
feeding back the output of said block cypher encoder to the input of the block cypher 
encoder. 

4. The circuitry as recited in claim 3 wherein means for generating said output
bit includes 

means, coupled to the input of said block cypher encoder, for bitwise 
XORing the said first and second inner products and 

means, coupled to said means for bitwise XORing, for determining the 
parity of the output of said means for bitwise XORing and for outputting said parity as 
said output bit. 
5. Circuitry for generating a stream of cryptographically strong pseudo-random
bits utilizing a first seed, S second seeds, and a third seed, the circuitry comprising

a block cypher encoder having a fixed random encoder key of the same 
length as the third seed, 

means, coupled to the input of said block cypher encoder, for inputting the
first seed as the first input to said block cypher encoder,

means, coupled to the input of said block cypher encoder, for generating S
output bits in the stream in correspondence with S first inner products between the input
of said block cypher encoder and each of the S second seeds, and a second inner product 
between the third seed and said fixed random encoder key. 

means, coupled to the input and output of said block cypher encoder, for 
feeding back the output of said block cypher encoder to the input of said block cypher 
encoder. 

6. The circuitry as recited in claim 5 wherein said means for generating said S 
output bits includes 

means, coupled to the input of said block cypher encoder, for bitwise 
XORing each of said S first inner products and said second inner product, and 

means, coupled to said means for bitwise XORing, for determining the 
parity of the output of said means for bitwise XORing and for outputting said parity. 

7. A method for generating a stream of cryptographically strong pseudo-random
bits with a block cypher encoder having a fixed random encoder key, a first seed
and S second seeds of the same length, and a third seed, the method comprising the steps 
of 

(a) inputting the first seed as the first input to the block cypher encoder, 

(b) generating S output bits in the stream in correspondence with S first 
inner products between the input of the block cypher encoder and each of the S second 
seeds, and a second inner product between the third seed and the fixed random encoder 
key, and 

(c) feeding back the output of the block cypher encoder as the next input
to the block cypher encoder, and returning to step (b).

8. The method as recited in claim 7 wherein said step of generating said S 
output bits includes the steps of 

bitwise XORing each of said S first inner products and said second inner
product, and

outputting the parity of said bitwise XORing step as the corresponding
one of said S output bits.